Guest 2Sweet
Posted January 15, 2008

When double-clicking the 'C' or 'D' drive in "My Computer", it goes to the link http://www.nhanhlen.com/ instead of showing the content of the drive.
Could the workstation be infected by a virus? Symantec antivirus did not detect a virus after performing a full scan.

Guest Volodymyr Shcherbyna
Posted January 15, 2008

This can be adware, which is represented as a BHO (Browser Helper Object) which hooks the DocumentComplete & BeforeNavigate events; since these events are fired when you go to some folder location, the adware takes control, retrieves the path of the folder, and makes a popup.

Try to change the AV, or try to remove the registered BHO extension.

--
Volodymyr

Guest 2Sweet
Posted January 15, 2008

Thanks for the response!
Can you guide me on how to remove the registered BHO extension?

Guest Volodymyr Shcherbyna
Posted January 15, 2008

http://www.microsoft.com/windowsxp/using/w...donmanager.mspx

But usually, I open regedit and look at the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

It contains a list of GUIDs - these are class IDs of COM extensions (in simple words, a GUID is some long and strange number). Basically, edit the GUID; for example, my first GUID is:
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

I just edit it by changing the first elements,
{BLA49E9F-C8D7-4D59-B87D-784B7D6BE0B3}
and then you can try to check whether the bug disappeared or not. If not, restore the original value of the GUID and play with the second GUID.

Also, remember that adware and other crap tries to restore its GUIDs in the BHO registry keys. So, if you delete the entry from the registry, it appears there again within a second. This also can be checked.

--
Volodymyr

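The registry key named in the post above can also be read with a script that resolves each GUID to the DLL behind it, which shows what every entry is before anything is edited. This is an added example, not part of the original post; the function name `Get-RegisteredBho` is hypothetical, and the script assumes machine-wide COM registrations only and changes nothing.

```powershell
# Added example: read-only listing of registered Browser Helper Objects.
# Assumption: machine-wide registrations only; per-user COM classes under
# HKCU:\Software\Classes are not consulted.
$views = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    # 32-bit registry view on 64-bit Windows
    @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }
)

function Get-RegisteredBho {
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid = $sub.PSChildName      # the GUID shown in regedit
            $class = Get-Item -LiteralPath "$($view.Clsid)\$clsid" -ErrorAction SilentlyContinue
            $srv   = Get-Item -LiteralPath "$($view.Clsid)\$clsid\InprocServer32" -ErrorAction SilentlyContinue

            # The default value of InprocServer32 is the DLL the host process loads.
            $name = $null
            $dll  = $null
            if ($class) { $name = $class.GetValue('') }
            if ($srv) {
                $raw = [string]$srv.GetValue('')
                $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
            }

            # An entry with no file on disk, or an unsigned file, is worth a closer look.
            $signature = 'FileMissing'
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $signature = (Get-AuthenticodeSignature -LiteralPath $dll).Status
            }
            [pscustomobject]@{ Clsid = $clsid; Name = $name; Dll = $dll; Signature = $signature }
        }
    }
}

Get-RegisteredBho | Sort-Object Signature | Format-Table -AutoSize -Wrap
```

Running it twice a few seconds apart, after disabling an entry, shows whether the entry has been written back, which is the re-registration behaviour the post mentions.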
Guest Volodymyr Shcherbyna
Posted January 15, 2008

Also, this tool: http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx will help you to manage Explorer's BHOs.

--
Volodymyr

Guest David H. Lipman
Posted January 15, 2008

From: "Volodymyr Shcherbyna" <v_scherbina@online.mvps.org>

| This can be an adware, which is represented as BHO (Browser Helper Object)
| which hooks DocumentComplete & BeforeNavigate events, since when you go to
| some folder location, these events are fired, adware takes control,
| retrieves the path of a folder, and makes popup.

| Try to change the AV, or try to remove the registered BHO extension.

| --
| Volodymyr

If it was a BHO, why is it affecting Explorer and NOT Internet Explorer?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest David H. Lipman
Posted January 15, 2008

From: "2Sweet" <cmchong20@yahoo.com>

| When double-click 'C' or 'D' drive in "My Computer", it goes to the link
| http://www.nhanhlen.com/ instead of showing the content of the drive.
| Could it be the workstation infected by virus? Symantec antivirus did not
| detect virus after performed a full scan.

For non-viral malware...

Please download, install and update the following software...

Ad-aware SE 2007
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

SuperAntiSpyware
http://www.superantispyware.com/superantis...efreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects that may be on the PC.

BHODemon
http://www.majorgeeks.com/downloadget.php?...04332b4b8b8442d

For viral malware...

Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site.
The choices are: Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed, hitting 'H' or 'h' will bring up a more comprehensive PDF help file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm

Please report back your results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Volodymyr Shcherbyna
Posted January 15, 2008

Events from Windows Explorer also fire DocumentComplete and BeforeNavigate, and the path is the path from the address bar of Windows Explorer.

--
Volodymyr

Guest fjsalim
Posted April 5, 2008

I just fixed this problem from my computer a few minutes ago and have restarted my system, so this is a verified solution. The problem began when I plugged in a USB drive that has been in contact with a public PC.

Treatment:
Run the file 'autoruns' available from the zip file downloadable from <http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx>. Go to the second tab ('Logon'), untick the entry 'shell.dll.exe' and then right-click it to select delete. If warned, give your affirmative to delete. (You may want to try deleting it straightaway instead of unticking first; I am just retelling how I did it.)

In the WINDOWS directory (e.g. C:\WINDOWS), remove the file 'shell.dll.exe'.
Note that the file 'shell.dll' - without the .exe extension - should be in the \WINDOWS\SYSTEM32, \WINDOWS\SYSTEM and \WINDOWS\SYSTEM32\dllcache folders [http://icrontic.com/forum/showpost.php?p=167042&postcount=4].

Go to Task Manager (i.e. press CTRL-ALT-DEL), go to the Process tab, click on 'web.exe' and then click the button End Process. Do the same to 'shell.dll.exe', i.e. End Process the 'shell.dll.exe'.

Then go to My Computer, RIGHT-CLICK (do not double-click!!) on your fixed drives (e.g. C and D), click EXPLORE. Delete the files 'autorun.inf' and 'web.exe' in each drive. Then delete these files from the Recycle Bin too. At this stage, left-clicking your fixed drives will still go to the autoplay. It will prompt that 'web.exe' cannot be found. Right-clicking the drives will, on the other hand, show a bolded autoplay, i.e. the default action for double-clicking the drive.

Restart the system and the above-mentioned autoplay on the fixed drives won't be there anymore.

Guest fjsalim
Posted April 5, 2008

I forgot to add that you will need to change the files-view settings in Windows Explorer to see the relevant files.

Go to Windows Explorer (e.g. by going to My Computer), go to the menu Tools (ALT-T), click Folder Options..., choose the tab View, activate Show Hidden Files And Folders and UNtick the Hide Protected Operating System Files (Recommended) and, for the latter, click Yes when they ask whether you are sure. Click OK at the Folder Options dialog box.

Do the opposite after you restart your computer doing the steps in the previous post, i.e. DEactivate Show Hidden Files And Folders and retick the Hide Protected Operating System Files (Recommended). Click OK at the Folder Options dialog box.

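The `autorun.inf` check from the two posts above can be done without changing Folder Options, because the .NET file APIs read hidden and system files directly. This is an added example, not part of the original posts; the function names are hypothetical, the sample file content is constructed, and the script only reads.

```powershell
# Added example: read-only audit; nothing is deleted or changed.
function Get-AutorunInfCommand {
    param([string[]]$Lines)
    # Return the [autorun] entries that make Explorer launch a program.
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1].Trim() -ieq 'autorun')
            continue
        }
        if (-not $inSection -or $text -eq '' -or $text.StartsWith(';')) { continue }
        # -match is case-insensitive: open=, shellexecute=, shell\<verb>\command=
        if ($text -match '^(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$') {
            [pscustomobject]@{ Key = $Matches[1]; Command = $Matches[2].Trim() }
        }
    }
}

function Find-FixedDriveAutorun {
    # Fixed drives only (C:, D:, ...), the drives named in the post.
    $fixed = [System.IO.DriveInfo]::GetDrives() | Where-Object { $_.DriveType -eq 'Fixed' }
    foreach ($drive in $fixed) {
        $inf = Join-Path $drive.Name 'autorun.inf'
        # .NET file APIs see hidden and system files regardless of Explorer settings.
        if (-not [System.IO.File]::Exists($inf)) { continue }
        foreach ($entry in Get-AutorunInfCommand ([System.IO.File]::ReadAllLines($inf))) {
            # Assumption: the target is a bare file name or relative path on the same drive.
            $exe    = ($entry.Command -split '\s+')[0].Trim('"')
            $target = Join-Path $drive.Name $exe
            [pscustomobject]@{
                File = $inf; Key = $entry.Key; Command = $entry.Command
                TargetExists = [System.IO.File]::Exists($target)
            }
        }
    }
}

# Constructed sample (not a captured file), using the file name from the post.
$sample = '[AutoRun]', 'open=web.exe', 'shell\open\command=web.exe', '; comment', 'icon=x.ico'
Get-AutorunInfCommand $sample | Format-Table -AutoSize
Find-FixedDriveAutorun | Format-Table -AutoSize -Wrap
```

A row with `TargetExists` false matches the state the post describes, where the drive still tries to launch 'web.exe' after the file has been deleted.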